IRS Wants to Buy Internet Mass Monitoring Tool

The IRS wants to purchase an internet monitoring tool from a company that has sold products to sections of the U.S. military and the FBI, according to public procurement records. The company, called Team Cymru, provides access to “netflow” data, which can show activity on the wider internet, such as which server communicated with another. This is information that may ordinarily only be available to the company hosting the server or the internet service provider carrying the traffic.

The news shows federal agencies’ continued interest in Team Cymru’s data and products. The procurement records show the IRS also wants to buy subscriptions from a variety of cybersecurity companies, suggesting the intended use case may be defensive in nature. In essence, Team Cymru’s products let cybersecurity professionals monitor activity outside of their own networks and observe what is happening on the wider internet. This may benefit defenders in identifying hackers’ infrastructure, but multiple cybersecurity professionals have previously expressed concern to Motherboard about the sale of netflow data.

“65 days traffic history,” one of the procurement documents reads. Jack Poulson, who runs transparency organization Tech Inquiry, first flagged the procurement records to Motherboard. The documents show the IRS is seeing if a contractor is able to provide the Team Cymru and other subscriptions at once.

The IRS is seeking a purchase of Team Cymru’s “Recon—Advanced” product, the procurement records show. Recon provides access to “internet traffic telemetry” according to Team Cymru’s website. On its site the company describes this data as “the world’s largest Threat Intelligence data ocean.” Team Cymru says its product can be used to “trace malicious activity through a dozen or more proxies and VPNs to identify the origin of a cyber threat.”

Three sources previously told Motherboard that Team Cymru works with ISPs to access netflow data. Keith Chu, communications director for the office of Senator Ron Wyden which has been conducting its own investigations into the sale of sensitive data, previously said Team Cymru told the office “it obtains netflow data from third parties in exchange for threat intelligence.” Team Cymru then sells access to some of that data through its own products, and customers may use it for their own purposes.

While some of those are geared around cybersecurity, Avi Freedman, CEO of network observability company Kentik, told Motherboard some people have other use cases in mind. Freedman said hedge funds wanting to study the economy have approached his company in an attempt to access netflow data.

“Since it’s our customers’ data and not ours, for us the answer is just no,” Freedman told Motherboard. Freedman declined to name specific companies because by the time an inquiry for data like this comes in, “we are generally under NDA,” he said.

The Treasury Department acknowledged a request for comment, but directed the inquiry to the IRS and IRS Criminal Investigations, which investigates a wide spread of different crimes. An IRS spokesperson then acknowledged that request for comment, but stopped responding to emails.  

Motherboard previously revealed that a whistleblower, after they said they first followed the official Department of Defense reporting process, contacted Senator Wyden’s office about the alleged warrantless use and purchase of netflow data. NCIS told Motherboard at the time the agency “uses net flow data for various counterintelligence purposes.”

One source previously said they saw traffic from an organization they knew inside Team Cymru’s dataset and were spooked at the time.

Last week Motherboard published an internal FBI document that showed the agency paid tens of thousands of dollars for access to netflow data. The sale was to the FBI’s Cyber Division, which investigates hackers in the worlds of cybercrime and national security.

Team Cymru did not respond to a request for comment. The company previously told Motherboard it does limit what data is returned to users but did not specify what data actually is provided to a user of the platform.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.